Critical Flaws in vBulletin Forum Software Exploited in Real-World Attacks
TL;DR
- Two critical vulnerabilities in vBulletin forum software, tracked as CVE-2025-48827 and CVE-2025-48828, have been discovered.
- These flaws enable API abuse and remote code execution, with one of them actively being exploited in real-world attacks.
- Affected versions range from 5.0.0 to 5.7.5 and from 6.0.0 to 6.0.3, specifically when running on PHP 8.1 or newer.
Critical Vulnerabilities Discovered in vBulletin Forum Software
Security experts have identified two critical vulnerabilities in the vBulletin forum software, which are being actively exploited in real-world attacks. These flaws, tracked as CVE-2025-48827 and CVE-2025-48828, allow for API abuse and remote code execution, posing significant security risks.
Vulnerability Details
- CVE-2025-48827:
  - Severity: CVSS score of 10
  - Description: An unauthenticated user can invoke protected API controllers’ methods when running on PHP 8.1 or later.
  - Exploit pattern: /api.php?method=protectedMethod
- CVE-2025-48828:
  - Severity: CVSS score of 9
  - Description: Attackers can run arbitrary PHP code by abusing template conditionals.
Both vulnerabilities were exploited in May 2025 and affect vBulletin versions from 5.0.0 to 5.7.5 and from 6.0.0 to 6.0.3, specifically when running on PHP 8.1 or newer [1].
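The PHP 8.1 condition on CVE-2025-48827 is the detail worth understanding for anyone maintaining a PHP API router. Since PHP 8.1, ReflectionMethod::setAccessible() is a no-op and reflection can invoke protected and private methods without it, so a dispatcher that relied on invoke() failing for non-public methods loses that guard the moment the runtime is upgraded. The following is an added illustration of that vulnerability class and its mitigation; it is not vBulletin's code, and ExampleController, rebuildTemplates and dispatch are hypothetical names.

```php
<?php
// Added example (not vBulletin's code): a reflection-based API dispatcher
// that checks method visibility itself instead of trusting invoke() to
// refuse non-public methods. Class and method names are hypothetical.

final class ExampleController
{
    public function ping(): string
    {
        return 'pong';
    }

    // Internal helper; must never be reachable from a request parameter.
    protected function rebuildTemplates(string $name): string
    {
        return "rebuilt {$name}";
    }
}

// Hardened dispatcher: validates the method name, then rejects anything
// that is not a public, non-static method before reflection calls it.
function dispatch(object $controller, string $method, array $args = []): string
{
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $method) || str_starts_with($method, '__')) {
        throw new InvalidArgumentException('Bad method name');
    }
    if (!method_exists($controller, $method)) {
        throw new InvalidArgumentException('No such method');
    }
    $rm = new ReflectionMethod($controller, $method);
    // The explicit visibility check is the fix: on PHP >= 8.1 invoke() would
    // call a protected method without complaint, so the router must refuse it.
    if (!$rm->isPublic() || $rm->isStatic()) {
        throw new RuntimeException("Method {$method} is not callable via the API");
    }
    return (string) $rm->invokeArgs($controller, $args);
}

$ctl = new ExampleController();
echo dispatch($ctl, 'ping'), PHP_EOL;                       // pong

try {
    // Same shape as the ?method=protectedMethod pattern in the advisory.
    echo dispatch($ctl, 'rebuildTemplates', ['ads']), PHP_EOL;
} catch (RuntimeException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}

// For comparison, raw reflection with no visibility check of its own:
$rm = new ReflectionMethod($ctl, 'rebuildTemplates');
try {
    // PHP < 8.1: throws ReflectionException because the method is protected.
    // PHP >= 8.1: succeeds and prints "rebuilt ads".
    echo $rm->invokeArgs($ctl, ['ads']), PHP_EOL;
} catch (ReflectionException $e) {
    echo 'reflection refused: ', $e->getMessage(), PHP_EOL;
}
```

Run the file under PHP 7.4 and again under PHP 8.1 or later: the hardened dispatch() blocks the protected method on both, while the raw-reflection comparison at the bottom only fails on the older runtime. An explicit allowlist of exposed method names is a stricter alternative to the isPublic() check when the controller surface is small.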
Discovery and Impact
Security researcher Egidio Romano discovered these vulnerabilities on May 23, 2025. The flaws allow attackers to exploit template conditionals and misuse protected methods, leading to remote, unauthenticated code execution. Romano also published a Proof of Concept (PoC) exploit for these issues [2].
Romano’s analysis emphasizes the importance of reviewing frameworks and custom APIs for access restrictions and method visibility. He suggests that this vulnerability class might be ripe for further exploration in other PHP platforms, including custom CMS platforms and legacy enterprise code [3].
Active Exploitation
By May 26, exploit attempts targeting the vulnerable replaceAdTemplate API endpoint were observed in the wild, potentially giving attackers server access. Researcher Ryan Dewhurst confirmed active exploitation, noting that an IP based in Poland was actively exploiting the vulnerability [4].
Dewhurst highlighted the availability of a Nuclei template for the vulnerability since May 24, 2025, which likely facilitated the attacks [5].
Timeline of Events
- May 23, 2025: Vulnerabilities discovered by Egidio Romano.
- May 26, 2025: Exploit attempts observed in the wild.
- May 26, 2025: Active exploitation confirmed by Ryan Dewhurst.
For more details, visit the full article: Security Affairs
Conclusion
The discovery and active exploitation of these critical vulnerabilities in vBulletin forum software underscore the importance of vigilant security practices. Users and administrators are urged to update their software and implement robust security measures to protect against such threats.
References
- [1] “Two Flaws in vBulletin Forum Software Are Under Attack”. Security Affairs. June 1, 2025.
- [2] Egidio Romano. “Don’t Call That Protected Method: vBulletin RCE”. KarmainSecurity. May 23, 2025.
- [3] Egidio Romano. “Don’t Call That Protected Method: vBulletin RCE”. KarmainSecurity. May 23, 2025.
- [4] Ryan Dewhurst. “vBulletin replaceAdTemplate Kev”. Blog.Kevintel. May 26, 2025.
- [5] Ryan Dewhurst. “vBulletin replaceAdTemplate Kev”. Blog.Kevintel. May 26, 2025.